When creating an API token, allow fine grained scoped control.

An example use case is, when using LetsEncrypt to generate your certificates, you can perform a DNS challenge to authenticate control of the domain. This adds a TXT record to your domain, confirming you have access to that domain.

You currently need to give your "god-mode" API token to do this using DigitalOcean.

With scoped access, you could create an API token with "dns:modify" and that's all that API token would be allowed to do.

This would reduce the attack surface if the API token gets leaked from your droplet.